I’m really embarrassed I let this collection of ForSec posts grow this large. There really aren’t any good excuses.
If it were any other weekend, I might take the time to break them down into a series of smaller posts, but the weather is super-nice after our recent Gulf-Coast hard-freeze and I really want to get outside and play for a bit.
So either set aside a lot of time before you get started, get a nice beverage handy, or just bookmark the monster that it is and come back when the weather outside is frightful.
Seriously, it’s that big but the material posted is also that good.
Warm Up Exercises
Practical Cyber Security Training Techniques for New IT Support Employees - (PDF link) - SANS Reading Room paper.
(IN)SECURE Magazine - Issue 40 (December 2013) released, with topics including:
- Testing anti-malware products
- Using Tshark for malware detection
- 5 questions for the head of a malware research team
- Malware analysis on a shoestring budget
- Report: Virus Bulletin 2013
- Digital ship pirates: Researchers crack vessel tracking system
- Exploring the challenges of malware analysis
- Evading file-based sandboxes
Doing things faster - Hexacorn blog - nice summary of personal tools and techniques used to improve your IT workflow.
Hacked Via RDP: Really Dumb Passwords — Krebs on Security
All About the Windows AutoRun
The ISC Diary has been running a series of posts on Windows auto-run techniques.
These reminded me of a very long-running series of related (and highly-detailed) posts over at the Hexacorn blog that started back in 2012 with the most recent (Part 6) posted yesterday.
- Beyond good ol’ Run key
- Beyond good ol’ Run key, Part 2
- Beyond good ol’ Run key, Part 3
- Beyond good ol’ Run key, Part 4
- Beyond good ol’ Run key, Part 5
- Beyond good ol’ Run key, Part 6
Well worth bookmarking for reading and refreshing.
Blog Posts from the Forensic Experts
Holidays and crazy winter weather haven’t slowed the blogging production of these masters of the forsec world.
- Tools, Malware, and more conference follow-up - Windows Incident Response blog
- Sniper Forensics, Memory Analysis, and Malware Detection - Windows Incident Response blog
- Links and News - Windows Incident Response blog
- Updates - Windows Incident Response blog
- Shellbags - Windows Incident Response blog
- Quick Post - Windows Incident Response blog
Speaking of RegRipper…
Moving down the road a bit
- Linkz for Incident Response - Journey Into Incident Response blog
- Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys - Journey Into Incident Response blog - This post was particularly timely as we are moving our enterprise platform for desktop users (finally) away from Windows XP and over to Windows 7. As such, we are now having to run many legacy applications under “Compatibility Mode” settings. As more Windows users move away from XP, I suspect these keys will become more important for incident responders.
- Revealing the RecentFileCache.bcf File - Journey Into Incident Response blog
And over in the factory
- Apple Safari update and fsCachedData - Forensics from the sausage factory blog
And one last interesting post…
- Old School techniques to hide from modern-day timelines - Computer Forensics, Malware Analysis & Digital Investigations blog
Sharpen your saw on these fascinating breakdowns of malware and incident responses.
- The Case of an Obscure Injection - SpiderLabs Anterior blog
- Trust for Sale - SpiderLabs Anterior blog
- The story of a Trojan Dropper I - Zscaler Research blog
- The story of a Trojan dropper II
- The Story of a Trojan Dropper III
- The Windows 7 Event Log and USB Device Tracking - Digital Forensics Stream blog
- Malware and the Self-Deleting Batch File Method - Journey Into Incident Response blog
- 64-bit ZBOT Leverages Tor, Improves Evasion Techniques - Security Intelligence Blog
- Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 - HolisticInfoSec blog
- Acquiring Memory Images with Dumpit - ISC Diary
- Malicious advertisements served via Yahoo - Fox-IT International blog
- Malware served via Yahoo affected millions - HitmanPro blog
Speaking of malware analysis, I recently found a new (to me) blog that has some great analysis posts.
- Malware Must Die! blog
The posts are quite detailed and richly illustrated. Definitely worth checking out and adding to your RSS feed pile as I have done.
Meanwhile, over at the Open Security Research blog, a new series has been started on using the debugging tool WinDBG.
- Getting Started with WinDBG - Part 1- Installation, Interface, Symbols, Remote/Local Debugging, Help, Modules, and Registers
- Getting Started with WinDBG - Part 2 - Breakpoints
- Getting Started with WinDBG - Part 3 - Inspecting Memory, Stepping Through Programs, and General Tips and Tricks
- Thesis on WinFE, shared by Alex Van Ginkel - Windows Forensic Environment blog
- Natural Progression for New Users of WinFE - Windows Forensic Environment blog
- Integrated Scripts to WinFE - Windows Forensic Environment blog
It has been forever since I last built my WinFE. I’m hoping to update it by walking through a fresh build in the next month or so. Brett Shavers’ blog site is rich with great tips, tools and documentation that make rolling your own (stock or custom) WinFE package a piece of cake.
More ForSec LiveCD News
Back when I started blogging a lifetime ago, there were really less than a single handful of useful forensic-focused LiveCD builds available. Most have disappeared, but luckily a wealth of others sprung up to take their place. It’s all I can do to stay on top of all the updates and releases of my favorites.
- Xplico 1.1.0 - new build released December 27th, 2013 - Download
- DEFT 2014 - News - DEFT Linux - new version 8.1 expected out in April 2014
- Kali Linux 1.0.6 Released - Kali Linux - Downloads
Hackage & Pwnage (and other almost depressing news of late for consumers and from the thin front line)
Like most every American, we woke up to very bad news around Christmastime with the announcement that Target had been seriously breached. The post-mortem work appears to be silently continuing, but the news has been saturated with corporate data and account breaches lately. We are still waiting for our replacement cards to come in. What a drag, but a small price to pay. It seems like things are getting worse, but what is discouraging is that these are probably the only ones mainstream media is focusing on and people are paying attention to. Smaller breaches occur daily at businesses large and small. My only hope is not only that excellent forensic analysis will lead to applicable lessons learned to improve things (if actually deployed), but that the public will understand the sharper and narrower razor’s edge we seem to be walking down with our personal data and our dependency on data security. Of course this whole “NSA” backdrop is another fine mess, but I’ll leave that for another day.
First the bad news recorded here for posterity.
- Two million stolen Facebook, Twitter, Yahoo, ADP passwords found on Pony Botnet server - ZDNet
- Hacker database exposed; thousands of stolen Facebook, Twitter, Google passwords found - ZDNet
- Found: hacker server storing two million pilfered passwords - Ars Technica
- Large Pony botnet controller discovered - Help Net Security
- Look What I Found: Moar Pony! - SpiderLabs Anterior blog
And woe the consumer…
- Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen — Krebs on Security
- Target Confirms PIN Data Also Stolen In Credit/Debit Card Hack – Consumerist
- Who’s Selling Credit Cards from Target? — Krebs on Security
- Hackers also pilfered personal data on 70 million Target customers - Ars Technica
- Target hack actually affects 70 million -- phone numbers, email addresses and more stolen - BetaNews
- Target Data Breach Possibly 110 Million, May Include People Who Didn’t Shop During Holidays – Consumerist
- The Perils of Plastic: The Problems With Debit And Credit Cards Are Deeper Than We Thought – ReadWrite
- Hackers Steal Card Data from Neiman Marcus — Krebs on Security
…and what about those SnapChat users?
- To what extent is an organisation liable when they get security wrong? - Troy Hunt’s blog - really good post as it shows how easy it could be to associate a leaked SnapChat account information with a real personal identity.
- Snapchat blames feature 'abuse' for phone number and username leak, issues no apology - Beta News
- …at least until now: Snapchat - Find Friends Improvements
- Greyhats expose 4.5 million Snapchat phone numbers using “theoretical” hack (updated) - Ars Technica
- Predictably, Snapchat user database maliciously exposed - ZDNet
- Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored - ZDNet
Of course, if you try to do the right thing…expect a possible whack-a-mole response to your head…
- Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data - Boing Boing
- Australian Agency Calls Cops on Teenage Do-Gooder Who Reports Website Vulnerability - IEEE Spectrum
Talk about frustrating…
Have I been pwned?
Meanwhile, leave it to an Aussie to continue to fight the good fight for consumer security.
Have I been pwned? - Check if your email has been compromised in a data breach
- Introducing “Have I been pwned?” – aggregating accounts across website breaches
- Have you been pwned? Now you can be automatically told when you are!
- Searching the Snapchat data breach with “Have I been pwned?”
It’s not only a great way to stay personally informed about any security breaches, but it’s also a good way to show non-technical family and friends that this really does impact them. Family and friends may shake their heads at the news stories, but when you have them type one of their email addresses in here and it (unfortunately) shows up…it becomes much more personal.
A few odds-and-ends in closing…
Just some odds and ends I’ve found these past weeks:
- FBCacheView - NirSoft - Shows Facebook images stored in the cache of your Web browser
- Security Essentials for Windows XP will die when the OS does - Ars Technica - Really? Like anybody was surprised by this news.